←back to thread

Max severity RCE flaw discovered in widely used Apache Parquet

(www.bleepingcomputer.com)
174 points andy99 | 10 comments | 4/6/2025, 5:21:00 PM | HN request time: 1.698s | source | bottom
1. formerly_proven ◴[4/6/2025, 5:47:00 PM] No.43603309[source]

As per the PoC, yes — this is the usual Java Deserialization RCE where it’ll instantiate arbitrary classes. Java serialization really is a gift that keeps on giving.

replies(2): >>43603416 #>>43603473 #
2. stefan_ ◴[4/6/2025, 5:58:00 PM] No.43603416[source]

I love how these always instantly escalate into trivial code execution / reverse shell. Remember kids, C is the enemy!

The "fix" in question also screams "delete this crap immediately": https://github.com/wgtmac/parquet-mr/commit/d185f867c1eb968a...

replies(2): >>43603502 #>>43603648 #
3. ◴[4/6/2025, 6:04:00 PM] No.43603473[source]
4. pclmulqdq ◴[4/6/2025, 6:08:00 PM] No.43603502[source]

This is a bug in Java. Java is considered "memory safe" because of its GC and its VM. This is not a memory safety bug.

replies(1): >>43605304 #
5. hinkley ◴[4/6/2025, 6:25:00 PM] No.43603648[source]

The fix still loads the class before checking if it’s okay.

That’s a smaller attack window but it’s still not zero.

replies(1): >>43604534 #
6. josefx ◴[4/6/2025, 8:07:00 PM] No.43604534{3}[source]

Java reflection can load classes without initializing them, so no untrusted code would have to be executed at that point.

replies(1): >>43604871 #
7. hinkley ◴[4/6/2025, 8:52:00 PM] No.43604871{4}[source]

I haven’t been in Java for a good while. When did they do that?

Static initializers used to load on Classloader calls.

replies(1): >>43605102 #
8. josefx ◴[4/6/2025, 9:27:00 PM] No.43605102{5}[source]

An overload for Class.forName with an explicit initialize parameter was added in Java 1.2 .

replies(1): >>43608222 #
9. chowells ◴[4/6/2025, 9:58:00 PM] No.43605304{3}[source]

It's true. No memory is being used in contravention of the language semantics. Absolutely memory safe.

10. hinkley ◴[4/7/2025, 5:53:00 AM] No.43608222{6}[source]

Except they don't call Class.forName(..., false, ...) anywhere in the codebase, so my original comment still stands.